Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed a buffer overflow (!) in wxHtmlTagsCache

Browse Source 
git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@14837 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
This commit is contained in:
Vadim Zeitlin
2002-03-28 12:52:27 +00:00
parent 0f243af310
commit 8cd82622a0
1 changed files with 35 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
src/html/htmltag.cpp
View File

@@ -62,14 +62,14 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
const wxChar *src = source.c_str(); const wxChar *src = source.c_str();
int i, tg, pos, stpos; int i, tg, pos, stpos;
int lng = source.Length(); int lng = source.Length();
wxChar dummy[256]; wxChar tagBuffer[256];
m_Cache = NULL; m_Cache = NULL;
m_CacheSize = 0; m_CacheSize = 0;
m_CachePos = 0; m_CachePos = 0;
pos = 0; pos = 0;
while (pos < lng) while (pos < lng)
{ {
if (src[pos] == wxT('<')) // tag found: if (src[pos] == wxT('<')) // tag found:
{ {
@@ -77,19 +77,18 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
m_Cache = (wxHtmlCacheItem*) realloc(m_Cache, (m_CacheSize + CACHE_INCREMENT) * sizeof(wxHtmlCacheItem)); m_Cache = (wxHtmlCacheItem*) realloc(m_Cache, (m_CacheSize + CACHE_INCREMENT) * sizeof(wxHtmlCacheItem));
tg = m_CacheSize++; tg = m_CacheSize++;
m_Cache[tg].Key = stpos = pos++; m_Cache[tg].Key = stpos = pos++;
dummy[0] = 0; i = 0;
while (pos < lng && for ( i = 0;
src[pos] != wxT('>') && pos < lng && i < WXSIZEOF(tagBuffer) - 1 &&
src[pos] != wxT(' ') && src[pos] != wxT('\r') && src[pos] != wxT('>') && !wxIsspace(src[pos]);
src[pos] != wxT('\n') && src[pos] != wxT('\t')) i++, pos++ )
{ {
dummy[i] = src[pos++]; tagBuffer[i] = wxToupper(src[pos]);
if ((dummy[i] >= wxT('a')) && (dummy[i] <= wxT('z'))) dummy[i] -= (wxT('a') - wxT('A'));
i++;
} }
dummy[i] = 0; tagBuffer[i] = _T('\0');
m_Cache[tg].Name = new wxChar[i+1]; m_Cache[tg].Name = new wxChar[i+1];
memcpy(m_Cache[tg].Name, dummy, (i+1)*sizeof(wxChar)); memcpy(m_Cache[tg].Name, tagBuffer, (i+1)*sizeof(wxChar));
while (pos < lng && src[pos] != wxT('>')) pos++; while (pos < lng && src[pos] != wxT('>')) pos++;
@@ -98,14 +97,14 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
m_Cache[tg].End1 = m_Cache[tg].End2 = -2; m_Cache[tg].End1 = m_Cache[tg].End2 = -2;
// find matching begin tag: // find matching begin tag:
for (i = tg; i >= 0; i--) for (i = tg; i >= 0; i--)
if ((m_Cache[i].End1 == -1) && (wxStrcmp(m_Cache[i].Name, dummy+1) == 0)) if ((m_Cache[i].End1 == -1) && (wxStrcmp(m_Cache[i].Name, tagBuffer+1) == 0))
{ {
m_Cache[i].End1 = stpos; m_Cache[i].End1 = stpos;
m_Cache[i].End2 = pos + 1; m_Cache[i].End2 = pos + 1;
break; break;
} }
} }
else else
{ {
m_Cache[tg].End1 = m_Cache[tg].End2 = -1; m_Cache[tg].End1 = m_Cache[tg].End2 = -1;
} }
@@ -115,7 +114,7 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
} }
// ok, we're done, now we'll free .Name members of cache - we don't need it anymore: // ok, we're done, now we'll free .Name members of cache - we don't need it anymore:
for (i = 0; i < m_CacheSize; i++) for (i = 0; i < m_CacheSize; i++)
{ {
delete[] m_Cache[i].Name; delete[] m_Cache[i].Name;
m_Cache[i].Name = NULL; m_Cache[i].Name = NULL;
@@ -125,12 +124,12 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
void wxHtmlTagsCache::QueryTag(int at, int* end1, int* end2) void wxHtmlTagsCache::QueryTag(int at, int* end1, int* end2)
{ {
if (m_Cache == NULL) return; if (m_Cache == NULL) return;
if (m_Cache[m_CachePos].Key != at) if (m_Cache[m_CachePos].Key != at)
{ {
int delta = (at < m_Cache[m_CachePos].Key) ? -1 : 1; int delta = (at < m_Cache[m_CachePos].Key) ? -1 : 1;
do do
{ {
m_CachePos += delta; m_CachePos += delta;
} }
while (m_Cache[m_CachePos].Key != at); while (m_Cache[m_CachePos].Key != at);
} }
@@ -148,7 +147,7 @@ void wxHtmlTagsCache::QueryTag(int at, int* end1, int* end2)
IMPLEMENT_CLASS(wxHtmlTag,wxObject) IMPLEMENT_CLASS(wxHtmlTag,wxObject)
wxHtmlTag::wxHtmlTag(wxHtmlTag *parent, wxHtmlTag::wxHtmlTag(wxHtmlTag *parent,
const wxString& source, int pos, int end_pos, const wxString& source, int pos, int end_pos,
wxHtmlTagsCache *cache, wxHtmlTagsCache *cache,
wxHtmlEntitiesParser *entParser) : wxObject() wxHtmlEntitiesParser *entParser) : wxObject()
{ {
@@ -170,7 +169,7 @@ wxHtmlTag::wxHtmlTag(wxHtmlTag *parent,
m_Prev = NULL; m_Prev = NULL;
/* Find parameters and their values: */ /* Find parameters and their values: */
int i; int i;
wxChar c; wxChar c;
@@ -178,18 +177,18 @@ wxHtmlTag::wxHtmlTag(wxHtmlTag *parent,
i = pos+1; i = pos+1;
// find tag's name and convert it to uppercase: // find tag's name and convert it to uppercase:
while ((i < end_pos) && while ((i < end_pos) &&
((c = source[i++]) != wxT(' ') && c != wxT('\r') && ((c = source[i++]) != wxT(' ') && c != wxT('\r') &&
c != wxT('\n') && c != wxT('\t') && c != wxT('\n') && c != wxT('\t') &&
c != wxT('>'))) c != wxT('>')))
{ {
if ((c >= wxT('a')) && (c <= wxT('z'))) if ((c >= wxT('a')) && (c <= wxT('z')))
c -= (wxT('a') - wxT('A')); c -= (wxT('a') - wxT('A'));
m_Name << c; m_Name << c;
} }
// if the tag has parameters, read them and "normalize" them, // if the tag has parameters, read them and "normalize" them,
// i.e. convert to uppercase, replace whitespaces by spaces and // i.e. convert to uppercase, replace whitespaces by spaces and
// remove whitespaces around '=': // remove whitespaces around '=':
if (source[i-1] != wxT('>')) if (source[i-1] != wxT('>'))
{ {
@@ -197,22 +196,22 @@ wxHtmlTag::wxHtmlTag(wxHtmlTag *parent,
c == wxT('\n') || c == wxT('\t')) c == wxT('\n') || c == wxT('\t'))
wxString pname, pvalue; wxString pname, pvalue;
wxChar quote; wxChar quote;
enum enum
{ {
ST_BEFORE_NAME = 1, ST_BEFORE_NAME = 1,
ST_NAME, ST_NAME,
ST_BEFORE_EQ, ST_BEFORE_EQ,
ST_BEFORE_VALUE, ST_BEFORE_VALUE,
ST_VALUE ST_VALUE
} state; } state;
quote = 0; quote = 0;
state = ST_BEFORE_NAME; state = ST_BEFORE_NAME;
while (i < end_pos) while (i < end_pos)
{ {
c = source[i++]; c = source[i++];
if (c == wxT('>') && !(state == ST_VALUE && quote != 0)) if (c == wxT('>') && !(state == ST_VALUE && quote != 0))
{ {
if (state == ST_BEFORE_EQ || state == ST_NAME) if (state == ST_BEFORE_EQ || state == ST_NAME)
{ {
@@ -289,7 +288,7 @@ wxHtmlTag::wxHtmlTag(wxHtmlTag *parent,
break; break;
} }
} }
#undef IS_WHITE #undef IS_WHITE
} }
m_Begin = i; m_Begin = i;
@@ -343,7 +342,7 @@ int wxHtmlTag::ScanParam(const wxString& par,
bool wxHtmlTag::GetParamAsColour(const wxString& par, wxColour *clr) const bool wxHtmlTag::GetParamAsColour(const wxString& par, wxColour *clr) const
{ {
wxString str = GetParam(par); wxString str = GetParam(par);
if (str.IsEmpty()) return FALSE; if (str.IsEmpty()) return FALSE;
if (str.GetChar(0) == wxT('#')) if (str.GetChar(0) == wxT('#'))
{ {
@@ -394,7 +393,7 @@ bool wxHtmlTag::GetParamAsInt(const wxString& par, int *clr) const
wxString wxHtmlTag::GetAllParams() const wxString wxHtmlTag::GetAllParams() const
{ {
// VS: this function is for backward compatiblity only, // VS: this function is for backward compatiblity only,
// never used by wxHTML // never used by wxHTML
wxString s; wxString s;
size_t cnt = m_ParamNames.GetCount(); size_t cnt = m_ParamNames.GetCount();
@@ -417,7 +416,7 @@ wxHtmlTag *wxHtmlTag::GetFirstSibling() const
else else
{ {
wxHtmlTag *cur = (wxHtmlTag*)this; wxHtmlTag *cur = (wxHtmlTag*)this;
while (cur->m_Prev) while (cur->m_Prev)
cur = cur->m_Prev; cur = cur->m_Prev;
return cur; return cur;
} }
@@ -430,7 +429,7 @@ wxHtmlTag *wxHtmlTag::GetLastSibling() const
else else
{ {
wxHtmlTag *cur = (wxHtmlTag*)this; wxHtmlTag *cur = (wxHtmlTag*)this;
while (cur->m_Next) while (cur->m_Next)
cur = cur->m_Next; cur = cur->m_Next;
return cur; return cur;
} }
@@ -442,7 +441,7 @@ wxHtmlTag *wxHtmlTag::GetNextTag() const
if (m_Next) return m_Next; if (m_Next) return m_Next;
wxHtmlTag *cur = m_Parent; wxHtmlTag *cur = m_Parent;
if (!cur) return NULL; if (!cur) return NULL;
while (cur->m_Parent && !cur->m_Next) while (cur->m_Parent && !cur->m_Next)
cur = cur->m_Parent; cur = cur->m_Parent;
return cur->m_Next; return cur->m_Next;
} }